What are the default nmap options?

5,056

per the man, the default scan with no other options specified varies based on user privilege.

for privileged users, the default option is the -sS scan:

TCP SYN scan: This technique is often referred to as "half-open" scanning, because you don’t open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and you wait for a response. A SYN|ACK indicates the port is listening. A RST is indicative of a non-listener. If a SYN|ACK is received, a RST is immediately sent to tear down the connection (actually our OS kernel does this for us). The primary advantage to this scanning technique is that fewer sites will log it. Unfortunately you need root privileges to build these custom SYN packets. This is the default scan type for privileged users.

and for unprivileged users, the default option is the -sT scan:

TCP connect() scan: This is the most basic form of TCP scanning. The connect() system call provided by your operating system is used to open a connection to every interesting port on the machine. If the port is listening, connect() will succeed, otherwise the port isn’t reachable. One strong advantage to this technique is that you don’t need any special privileges. Any user on most UNIX boxes is free to use this call.

This sort of scan is easily detectable as target host logs will show a bunch of connection and error messages for the services which accept() the connection just to have it immediately shut down. This is the default scan type for unprivileged users.

so that's two of your profiles right there.


Author: user1459339

Updated on September 18, 2022

Comments

  • user1459339
    user1459339 over 1 year

    Which options are used by default, when the user fires

    # nmap target
    

    without any explicit option?

    I am going to write the defaults of the three options I consider the most important. It would be nice to have all the default options, probably with some short commentary on when it is appropriate to change them.

    The most important distinction I can think of is, that under root a TCP SYN scan (-sS) is used by default, while under a regular user it uses a TCP Connect() scan (-sT), as it has no privileges to work with raw packets.

    Second thing are the target (TCP) ports. The docs say, that "Normally Nmap scans the most common 1,000 ports for each scanned protocol". I presume these are some selected ports lower than 1024, probably known services.

    The last thing of interest are scan timings, for IDS evasion.

    -T paranoid|sneaky|polite|normal|aggressive|insane (Set a timing template)
    

    The default is of course

    -T3
    

    or

    -T normal
    
    • Frank Thomas
      Frank Thomas almost 8 years
      The "top 1000 ports" are defined per the nmap-services file: nmap.org/book/nmap-services.html. They were originally based on the well known ports (<1024), but the list has been expanded and lesser used ports under 1024 have gotten knocked off the list.
  • user1459339
    user1459339 almost 8 years
    Yes, but that's just the scan type. What about other options, for example the timing. The default is -T3, but there are -T1,-T2,-T4,-T5 as well and I am sure the situation is similar with other options.
  • chefarov
    chefarov about 5 years
    Because by default nmap tries only the top 1000 TCP/UDP ports. By specifying -p 2080 you overwrite that option and scan specifically for 2080. By specifying -p- it scans all 65535 ports.
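The comments above explain that Nmap's default port list is not "ports below 1024" but the entries in its nmap-services file ranked by open-frequency, and that `-p` / `-p-` override it. The following script is an added illustration, not code from any poster or from the Nmap project: it parses text in the documented nmap-services line format (`name port/proto open-frequency [# comment]`), ranks ports per protocol by that frequency column to reproduce the "top N" selection, and expands an nmap-style `-p` specification. The sample file content and its frequency values are constructed for the demo and are not the real numbers shipped with Nmap.

```python
"""Derive Nmap-style "top N ports" from nmap-services text and expand -p specs.

Added example (not Nmap's own code). Assumes the documented nmap-services
line format:  <service-name> <port>/<proto> <open-frequency> [# comment]
Nmap's default scan of "the most common 1,000 ports" is the top 1000 entries
per protocol when sorted by that open-frequency column.
"""
import re
from collections import defaultdict

# Constructed sample in the nmap-services format. Frequencies are illustrative
# only; the real file shipped with Nmap has different values and ~20k lines.
SAMPLE_NMAP_SERVICES = """\
# Fields: service-name  port/protocol  open-frequency  # optional comment
http      80/tcp    0.484143  # World Wide Web HTTP
telnet    23/tcp    0.221265
https     443/tcp   0.208669  # secure http (SSL)
ftp       21/tcp    0.197667  # File Transfer [Control]
ssh       22/tcp    0.182286  # Secure Shell Login
unknown   49152/tcp 0.010000
domain    53/udp    0.213496  # Domain Name Server
snmp      161/udp   0.433467  # Simple Net Mgmt Proto
ntp       123/udp   0.330879  # Network Time Protocol
http      80/udp    0.035767  # World Wide Web HTTP
"""

# name, port, protocol, frequency; anything after the frequency is ignored.
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp|sctp)\s+([0-9.]+)")


def parse_nmap_services(text):
    """Return {proto: [(port, frequency, name), ...]} from nmap-services text.

    Blank lines and '#' comment lines are skipped; malformed lines are ignored
    rather than aborting the parse.
    """
    table = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, port, proto, freq = m.groups()
        table[proto].append((int(port), float(freq), name))
    return dict(table)


def top_ports(text, proto="tcp", n=1000):
    """Ports for `proto` ordered by descending open-frequency, truncated to n.

    Ties are broken by ascending port number so the result is deterministic.
    Against a real nmap-services file with n=1000 this is the default port
    set used when no -p option is given.
    """
    entries = parse_nmap_services(text).get(proto, [])
    ranked = sorted(entries, key=lambda e: (-e[1], e[0]))
    return [port for port, _freq, _name in ranked[:n]]


def port_spec_to_set(spec):
    """Expand an nmap-style -p argument: "22,80,8000-8010", or "-" for 1-65535."""
    if spec == "-":
        return set(range(1, 65536))
    ports = set()
    for part in spec.split(","):
        lo_s, _, hi_s = part.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"port range out of bounds: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


if __name__ == "__main__":
    print("top TCP ports:", top_ports(SAMPLE_NMAP_SERVICES, "tcp", 5))
    print("top UDP ports:", top_ports(SAMPLE_NMAP_SERVICES, "udp", 5))
    print("-p 22,80,8000-8010 ->", sorted(port_spec_to_set("22,80,8000-8010")))
    print("-p- covers", len(port_spec_to_set("-")), "ports")
```

Pointing `parse_nmap_services` at the contents of the real `nmap-services` file (its location is printed in the Nmap documentation for your platform) and calling `top_ports(text, "tcp", 1000)` gives the exact default TCP port set, which is useful on the defensive side for checking which of your listening services fall inside or outside that default window. Note that the UDP ranking is independent of the TCP one, since frequencies are recorded per protocol.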